Bug 752326 - Add boolean for mysql my.cnf access
Summary: Add boolean for mysql my.cnf access
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-09 07:40 UTC by Felix Kaechele
Modified: 2011-11-21 07:59 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 07:59:46 UTC
Type: ---


Attachments (Terms of Use)

Description Felix Kaechele 2011-11-09 07:40:26 UTC
In my shared webhosting scenario I have set up several services to query a MySQL Database for user and password info. It seems that as soon as an application is linked to the mysql client libs and tries to perform a database lookup it tries to open the mysql configuration file my.cnf. SELinux' current policy denies this access making the lookup fail.

I'd opt for a boolean that allows access to the my.cnf for such services.

So far audit2allow gives me the following:
allow dovecot_t mysqld_etc_t:file { read getattr open };
allow groupadd_t mysqld_etc_t:file { read getattr open };
allow local_login_t mysqld_etc_t:file { read getattr open };
allow named_t mysqld_etc_t:file { read getattr open };
allow pam_console_t mysqld_etc_t:file { read getattr open };
allow postfix_bounce_t mysqld_etc_t:file { read getattr open };
allow postfix_cleanup_t mysqld_etc_t:file { read getattr open };
allow postfix_master_t mysqld_etc_t:file { read getattr open };
allow postfix_pickup_t mysqld_etc_t:file { read getattr open };
allow postfix_qmgr_t mysqld_etc_t:file { read getattr open };
allow postfix_smtpd_t mysqld_etc_t:file { read getattr open };
allow postfix_smtp_t mysqld_etc_t:file { read getattr open };
allow procmail_t mysqld_etc_t:file { read getattr open };
allow sendmail_t mysqld_etc_t:file { read getattr open };
allow sshd_t mysqld_etc_t:file { read getattr open };
allow system_dbusd_t mysqld_etc_t:file { read getattr open };
allow useradd_t mysqld_etc_t:file { read getattr open };

Versions:
selinux-policy-3.10.0-51.fc16.noarch
selinux-policy-targeted-3.10.0-51.fc16.noarch

Comment 1 Daniel Walsh 2011-11-09 16:24:14 UTC
Add a policy for this

cat mynsswitch.te 
policy_module(mynsswitch, 1.0)
gen_require(`
        attribute nsswitch_domain;
')

mysql_read_config(nsswitch_domain)

Comment 2 Felix Kaechele 2011-11-21 07:59:46 UTC
Works for me and so far I'm happy with the solution.
Closing.


Note You need to log in before you can comment on or make changes to this bug.